Regarding the risk posed by these ultra-fast cracking farms, check out Steve Gibson’s “password haystack”. And remember that these fast-crackers are only relevant to physical access cases — where the bad guys either have your computer/device, or they have physical access to a site's password hash files. If you have a 30-character passphrase you are probably safe from even the direct physical attacks. Do make sure your phrase is not in a dictionary, which you can easily ensure by adding, say, ….. somewhere.

Bandits trying to brute force your Gmail account over the internet are limited to a max attack rate of 100 to around 1000 guesses/second.

To foil that sort of attack we think it is important to “silo” key accounts with unique email addresses – which do help to create a higher security fence. E.g., we create a unique email address for each high-value account, such as Apple, Google, Gmail, bank, brokerage, etc.

So make sure each such account has a unique email/login and unique/strong passphrase. I expect someday one of our key accounts will be compromised, maybe by an insider. Then we will be really glad that account was in its own silo.

Lastly, here is Steve Gibson's analysis of one of our 26 character passwords. Note that even the 25 GPU Monster will need about 10 trillion centuries to stumble onto this one (at 348 billion guesses / second).
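As an added illustration of the "haystack" arithmetic the comment relies on (this is not Gibson's calculator or the commenter's own code), the following computes the exhaustive search space for a password from its character classes and the centuries needed to exhaust it at the two rates mentioned above: throttled online guessing and the 348 billion guesses/second GPU rig. Class sizes (26/26/10/33) and the tiny wordlist are assumptions chosen for the example.

```python
import string

# Assumed character-class sizes (33 symbols = ASCII punctuation plus space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
SYMBOLS = string.punctuation + " "
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Constructed toy wordlist standing in for a real cracking dictionary.
WORDLIST = {"password", "letmein", "correcthorsebatterystaple"}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes actually present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += CLASS_SIZES["lower"]
    if any(c in string.ascii_uppercase for c in password):
        size += CLASS_SIZES["upper"]
    if any(c in string.digits for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in SYMBOLS for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def search_space(password: str) -> int:
    """Haystack size: every string of length 1..len(password) over that alphabet."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def centuries_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole haystack at a given guessing rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_CENTURY


def in_wordlist(password: str) -> bool:
    """A dictionary word is found in one guess regardless of the haystack size."""
    return password.lower() in WORDLIST


def report(password: str) -> dict:
    # Rates taken from the comment: online throttling (~1000/s) and the GPU farm.
    rates = {"online_1000_per_s": 1e3, "gpu_farm_348e9_per_s": 348e9}
    return {name: centuries_to_exhaust(password, r) for name, r in rates.items()}


if __name__ == "__main__":
    sample = "correcthorsebatterystaple....."  # constructed: wordlist word plus dots
    print(in_wordlist(sample), alphabet_size(sample), search_space(sample))
    for name, centuries in report(sample).items():
        print(f"{name}: {centuries:.3e} centuries")
```

Note that the haystack figure is a worst-case exhaustive search bound; a phrase present in a wordlist falls in the first few guesses no matter how large its haystack is.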